Fake email from R. Kern Engineering “inv.# 57949” contains malicious Word document


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “inv.# 57949” (numbers will vary).

This email is sent from the spoofed address “eileenmeade@kerneng.com” and has the following body:

Here is your invoice & Credit Card Receipt.

Eileen Meade
R. Kern Engineering & Mfg Corp.
Accounting
909) 664-2442
Fax 909) 664-2116

The attached file SKMBT_C552D150123_16106.doc is a Word file with an embedded macro that will download the executable bin.exe from the following locations:

hxxp://UKR-TECHTRAININGDOMAIN.COM/js/bin.exe
hxxp://schreinerei-ismer.homepage.t-online.de/js/bin.exe

The trojan is known as W32/Injector.BTAV!tr, Kryptik.CEWB or Mal/Wonton-AN.

At the time of writing, 3 of the 57 AV engines detected the trojan at Virus Total.

Use Virus Total for more detailed information.
SHA256: 23bbf7b1407bb9e657160f0545facc1d2634d5ba55d67bfaef3685194aa66ec1
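
A mail-gateway triage check for the campaign traits described above (subject pattern, spoofed sender domain, macro-bearing .doc attachment), added here as an example and not MX Lab's code. The function names, the `_VBA_PROJECT` byte-marker heuristic and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators from the advisory: subject pattern and spoofed sender domain.
SUBJECT_RE = re.compile(r"inv\.#\s*\d+", re.IGNORECASE)
SPOOFED_DOMAIN = "@kerneng.com"
# Legacy .doc files are OLE2 compound files with this 8-byte signature.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Heuristic (assumption): a VBA project adds a "_VBA_PROJECT" stream, whose
# name is stored as UTF-16LE in the OLE2 directory.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage(raw: bytes) -> list:
    """Return the campaign indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    if parseaddr(str(msg.get("From", "")))[1].lower().endswith(SPOOFED_DOMAIN):
        hits.append("sender-domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".doc") and data.startswith(OLE2_MAGIC):
            hits.append("ole2-doc")
            if VBA_MARKER in data:
                hits.append("vba-marker")
    return hits


def build_sample() -> bytes:
    """Constructed test message; the attachment is inert filler, not a real document."""
    msg = EmailMessage()
    msg["From"] = "eileenmeade@kerneng.com"
    msg["To"] = "user@example.com"  # constructed recipient
    msg["Subject"] = "inv.# 57949"
    msg.set_content("Here is your invoice & Credit Card Receipt.")
    fake_doc = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="SKMBT_C552D150123_16106.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Because the sender address is spoofed, the domain match alone says nothing about the real sender; treat it as one signal to combine with the subject and attachment hits.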
